Sylvain Duloutre's Weblog (Comments)
https://blogs.oracle.com/sduloutr/
Blog for Sylvain Duloutre (en-us), Copyright 2015. Feed generated Wed, 11 Mar 2015 17:58:24 +0000 by Apache Roller BLOGS401ORA6 (20130904125427).

Re: Reusing passwords encoded with custom hash in OUD
Sylvain Duloutre, Tue, 20 Jan 2015 11:48:54 +0000
https://blogs.oracle.com/sduloutr/entry/reusing_passwords_encoded_with_custom#comment-1421754534663

Hello,
Passwords will be migrated automatically to the new OOTB algo as users change their password. OUD supports authentication based on any supported password format, but the password will be stored using the password algo specified in the password policy when the password is changed. So some entries might still have the old algo while others use the new one. If you want to do a full switch to the new algo, you can force users to change their passwords.

Re: Reusing passwords encoded with custom hash in OUD
Asif, Thu, 8 Jan 2015 23:27:30 +0000
https://blogs.oracle.com/sduloutr/entry/reusing_passwords_encoded_with_custom#comment-1420759650068

Sylvain, should we also use the above approach to migrate user passwords from one OOTB supported hash algorithm to another OOTB hash algorithm (e.g. from Unsalted SHA1 to Salted SHA512)? Or is there a simpler approach or an OOTB plugin / function provided by Oracle for doing that?

Re: An additional log file for OUD: server.out
Sylvain Duloutre, Thu, 2 Oct 2014 10:04:04 +0000
https://blogs.oracle.com/sduloutr/entry/an_additional_log_file_for#comment-1412244244148

Btw, it would be more convenient to use the OUD forum at https://community.oracle.com/community/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee to troubleshoot or discuss.

Re: An additional log file for OUD: server.out
Sylvain Duloutre, Thu, 2 Oct 2014 10:01:57 +0000
https://blogs.oracle.com/sduloutr/entry/an_additional_log_file_for#comment-1412244117798

Hello,
The server.out is used mostly during the startup phase to log messages when the regular loggers are not yet initialized. So it should not grow.
Could you share a short snippet of this log file (end of file would be better)?
Thanks
-Sylvain

Re: An additional log file for OUD: server.out
Aleksei, Wed, 1 Oct 2014 11:33:54 +0000
https://blogs.oracle.com/sduloutr/entry/an_additional_log_file_for#comment-1412163234564

Hi,
Can I limit somehow the size of this file (server.out)?
The size can reach 10Gb, and that is too much for me.

Re: Transition Guide from DSEE to OUD just published
guest, Mon, 23 Jun 2014 14:53:55 +0000
https://blogs.oracle.com/sduloutr/entry/transition_guide_from_dsee_to#comment-1403535235016

Thanks for your interest in my blog and in OUD.
Blog comments are not very convenient for having a discussion, so I would encourage you to post your comments directly to the OUD Forum at https://community.oracle.com/community/developer/english/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee
Replication gateway is indeed used in general during transition phases.
It provides strong consistency replication between DSEE and OUD. On the OUD side, Roles are replaced by groups, so technically, the simplest way to migrate would be to transition from roles to groups on the ODSEE side before the actual transition. Complexity of this task depends on how roles are used.
Regarding password policy state migration, the replication gateway (and OUD) understand password policy state in DS6 mode only. The replication gateway can work with a DSEE in DS5 mode; however, locked accounts on the DSEE side won't be replicated as locked accounts automatically to OUD. This might be an option only if you do not rely on global (cross DSEE/OUD) account lockout features during the transition period.
Switching to DS6 mode enables storage of account lock status in a standard way. However, storage of the actual attributes is done only when the user password is changed. The gateway and OUD require the presence of the standard lock status in all the user entries to provide global account lock. In ODSEE 11.1.1.7, there is an administrative task you can run on your existing data to generate the appropriate internal state.
Hope this helps.
Looking forward to hearing from you on the OUD Forums
-Sylvain

Re: Transition Guide from DSEE to OUD just published
dsee2oud, Mon, 16 Jun 2014 20:59:12 +0000
https://blogs.oracle.com/sduloutr/entry/transition_guide_from_dsee_to#comment-1402952352435

Hi Sylvain, let me start with thank you for all of your articles; they are a treasure trove.
We are currently planning to migrate from ODSEE to OUD using the guidance in the Transition Guide. We were using Non-Standard Roles (nsRole) in ODSEE, i.e. end applications use the nsRoles for coarse-grained access control at the application server level. Having said that, we have the following questions:
1. We want to go with the Replication Gateway approach to keep data in sync (between ODSEE and OUD) during the transition phase.
2. From the documentation we understand that Role replication is currently not supported. What is the recommended way to transition the roles over to OUD? Do we just manually migrate the roles into groups and let Replication Gateway take care of other objects - is that possible, or do we have to go with the manual replication route?
3. Also we noticed that the password policies on ODSEE are DS5-mode. Would changing it to DS6-mode have an impact on any user password data?

Re: Provisioning to OUD using the OIM connector for OUD
Eli Kleinman, Mon, 12 May 2014 14:57:20 +0000
https://blogs.oracle.com/sduloutr/entry/provisoning_to_oud_using_the#comment-1399906640436

Thanks for the reply,
We are looking for a replacement of the ISW functionality using a plugin in ODSEE to get password changes; we would hope to get the same functionality in OIM + OUD.
Thanks,
Eli

Re: Provisioning to OUD using the OIM connector for OUD
Sylvain Duloutre, Mon, 12 May 2014 14:33:42 +0000
https://blogs.oracle.com/sduloutr/entry/provisoning_to_oud_using_the#comment-1399905222911

Technically, the connector could detect password changes from the OUD change log; however, it would have access to the encoded password form, not the plain text password, so it is not possible to update the OIM DB with it.

Re: Provisioning to OUD using the OIM connector for OUD
Eli Kleinman, Thu, 1 May 2014 13:58:04 +0000
https://blogs.oracle.com/sduloutr/entry/provisoning_to_oud_using_the#comment-1398952684847

Can the OIM OUD Connector intercept OUD password changes?

Re: Creating a new naming context in OUD
Sylvain Duloutre, Wed, 26 Mar 2014 08:25:40 +0000
https://blogs.oracle.com/sduloutr/entry/creating_a_new_naming_context#comment-1395822340654

Sure. You can use a Java LDAP SDK. You can google to find one.

Re: Creating a new naming context in OUD
guest, Wed, 26 Mar 2014 06:22:17 +0000
https://blogs.oracle.com/sduloutr/entry/creating_a_new_naming_context#comment-1395814937111

Hello, can I add entries into OUD using Java?

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
guest, Mon, 17 Mar 2014 15:38:17 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1395070697677

Mr. Everton,
Indeed, the orclAci may be present in LDAP entries generated by dbca.
However, this attribute should be filtered out by OUD when EUS support is enabled, so I would suspect a configuration problem on the OUD side.
Using blog comments is not the most convenient way to discuss, so I would encourage you to go to the OUD forum
and post again the problem description and the OUD configuration file.
Best Regards,
Sylvain

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
Sylvain Duloutre, Mon, 17 Mar 2014 15:06:18 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1395068778881

EUS requires access to the (hashed) user password.
It is not possible to retrieve the user password from AD; that's the reason why the DLL captures user passwords and stores them in another attribute in AD so that it can be made accessible to EUS.

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
Everton, Wed, 12 Mar 2014 12:48:54 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1394628534291

Mr. Sylvain,
I am trying to deploy the scenario "Active Directory Integration with Kerberos Authentication".
I have successfully installed OUD as a proxy to my Active Directory. When I connect to OUD, it is showing my AD directory. I have installed OUD proxy with EUS enabled (I've chosen this option during the oud-proxy-setup GUI).
However, when I try DBCA, it finishes with a TNS-04409 and TNS-04405 error. The OUD access log shows an "Attribute not allowed" message (orclAci attribute is not defined by any objectclass).
Is there a way to have the orclAci on OUD? (I cannot extend my AD schema.)
Am I missing something during OUD installation/configuration?
Best regards
Everton

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
guest, Tue, 11 Mar 2014 17:21:26 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1394558486951

Can EUS passthrough authentication work with AD without using oidpwdcn.dll?
If it is a passthrough, why are you still syncing the passwords from AD?

Re: Mentoring at Sun
Sylvain Duloutre, Thu, 13 Feb 2014 09:21:43 +0000
https://blogs.oracle.com/sduloutr/entry/mentoring_at_sun#comment-1392283303142

Hi Chuck,
Oracle has its own mentoring program (I am part of it), but it is not based on the "platform" built by Katy Dickinson...
Cheers
-Sylvain

Re: Mentoring at Sun
guest, Thu, 13 Feb 2014 02:10:11 +0000
https://blogs.oracle.com/sduloutr/entry/mentoring_at_sun#comment-1392257411057

Sylvain, I remember when Katy Dickinson developed the mentoring program at Sun. Is it being used at Oracle?
Chuck Walrad
Chair, IEEE Computer Society PAB-IT

Re: Migration Strategy to Oracle Unified Directory
sylvain duloutre, Tue, 17 Dec 2013 09:21:00 +0000
https://blogs.oracle.com/sduloutr/entry/preparing_migration_to_oracle_unified#comment-1387272060365

Hello,
It is possible to migrate data from AD to OUD as long as you can export data from AD in LDIF format. However, you won't be able to migrate passwords, as they cannot be extracted from AD.

Re: Migration Strategy to Oracle Unified Directory
guest, Thu, 12 Dec 2013 03:09:04 +0000
https://blogs.oracle.com/sduloutr/entry/preparing_migration_to_oracle_unified#comment-1386817744530

Hi Sylvain, your post is great. Helped me a lot. But I was wondering if there is a way to migrate data from Microsoft AD to OUD.

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
sylvain duloutre, Mon, 18 Nov 2013 12:08:11 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1384776491921

Hi,
Yes, it is possible to pass through authentication using the PTA (Pass-through authentication) workflow element in OUD. Binds only are forwarded to any third party directory, including AD.

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
guest, Tue, 29 Oct 2013 06:33:30 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1383028410819

Hi Sylvain,
Is it possible to configure the OUD proxy to pass through authentications that match a specific DN (i.e. using a network group) to AD without configuring EUS and without modifying the AD schema? We would prefer not to have to use OVD to do this.
Thanks
Richard

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
guest, Fri, 25 Oct 2013 11:56:43 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1382702203997

Hi Gregory,
The current OUD documentation is rather scarce on that specific subject.
Basically you just need to deploy an OUD proxy with EUS enabled as described at http://docs.oracle.com/cd/E37116_01/admin.111210/e22648/eus.htm#CJAGIBFF
The proxy points to AD via an LDAP Proxy workflow element.
You also have to modify the attribute orclkrbprincipalattribute in the EUS config (cn=OracleContext) to the attribute name storing the Kerberos principal on AD.
That's basically it.
I'll write a post on that specific subject with the detailed procedure when I have a chance.
-Sylvain

Re: OUD&EUS Take 2: DB Accounts Proxy-ed by OUD into existing Directories
Gregory, Sat, 19 Oct 2013 07:46:00 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_2_db#comment-1382168760104

Hello Sylvain,
I'm very interested in the new 11.1.2.1 "Active Directory Integration with Kerberos Authentication" option. I've discovered it in your white paper and on your blog, and the fact that it doesn't require extending the AD schema just shines (plus Kerberos doesn't require ASO on the DB side anymore).
Unfortunately, I did not find any place where this option is documented as I would need. What I've found in the 11.1.2.1 documentation still looks to be only about password-based EUS/OUD/AD integration.
Can you help me by pointing to the documentation or a support note? If it works, it would be our preferred production platform compared to OVD/OID.
Best Regards,
Gregory

Re: Installing Oracle Unified Directory in silent mode
guest, Tue, 24 Sep 2013 16:02:59 +0000
https://blogs.oracle.com/sduloutr/entry/installing_oracle_unified_directory_in#comment-1380038579216

The -record trick was a nice tip; thanks!

Re: Migrating SSL Certificates to OUD
Sylvain Duloutre, Wed, 4 Sep 2013 10:27:52 +0000
https://blogs.oracle.com/sduloutr/entry/migrating_dsee_ssl_certificates_to#comment-1378290472591

Hello,
ORA-28030 usually corresponds to a connectivity problem with the LDAP directory server.
It might be easier to start a discussion about that on a forum (e.g. https://forums.oracle.com/community/developer/english/fusion_middleware/identity_management/oracle_directory_server_enterprise_edition_sun_dsee) instead of using comments in a blog.

Re: Migrating SSL Certificates to OUD
dik pater, Wed, 4 Sep 2013 09:32:46 +0000
https://blogs.oracle.com/sduloutr/entry/migrating_dsee_ssl_certificates_to#comment-1378287166920

Sylvain,
We installed OUD 11121; we can resolve TNS entries but we cannot use EUS.
We get ORA-28030.
Do you have a solution or test that I can try?
Regards.
Dik.

Re: OUD&EUS Take 1: DB Accounts Stored in OUD
Sylvain Duloutre, Wed, 4 Sep 2013 06:28:42 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_1_db#comment-1378276122444

OUD requires the ODS+ licence as described at http://www.oracle.com/us/products/middleware/identity-management/oracle-directory-services/directoryservicesplus-ds-404374.pdf
It gives you the rights to use all Oracle Directory products.

Re: OUD&EUS Take 1: DB Accounts Stored in OUD
guest, Wed, 4 Sep 2013 02:37:24 +0000
https://blogs.oracle.com/sduloutr/entry/oud_eus_take_1_db#comment-1378262244284

Is OUD free for EUS? Or is any license cost involved?